[openssl-users] Meaning of OCSP_NOEXPLICIT for OCSP_basic_verify()
Stephan Mühlstrasser
stm at pdflib.com
Tue Feb 24 08:35:37 UTC 2015
Am 18.02.15 um 13:19 schrieb Stephan Mühlstrasser:
>
> Unfortunately the "-no_explicit" command line option is not documented:
>
> https://www.openssl.org/docs/apps/ocsp.html
>
> What is the meaning of setting the OCSP_NOEXPLICIT flag resp. using the
> "-no_explicit" command line option. What exactly is checked by the
> X509_check_trust() call above with respect to the relevant RFCs?
>
As there is no documentation and as noone seems to know the meaning of
the -no_explicit for "openssl ocsp", should I file a documentation
defect in RT for that?
If I understand the code in OCSP_basic_verify() that is depending on the
OCSP_NOEXPLICIT flag correctly, it checks the root CA for the presence
of the OCSPSigning flag in the extended key usage field. I could not
find anything in RFC 6960 and RFC 2560 that would mandate such a check
for the root CA certificate. Only the OCSP signing certificate must have
OCSPSigning in the extended key usage field.
So maybe it is even a bug in the code itself?
--
Stephan
More information about the openssl-users
mailing list